Bug 1274196 - RFE: configure iptables rules on overcloud hosts
Summary: RFE: configure iptables rules on overcloud hosts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 10.0 (Newton)
Assignee: Ben Nemec
QA Contact: Ofer Blaut
URL:
Whiteboard:
: 1284080 (view as bug list)
Depends On:
Blocks: 1305123 1350510
TreeView+ depends on / blocked
 
Reported: 2015-10-22 08:51 UTC by Ofer Blaut
Modified: 2018-05-02 10:36 UTC (History)
13 users (show)

Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.1.el7ost
Doc Type: Enhancement
Doc Text:
With this update, the iptables firewall on the overcloud controller nodes are enabled to ensure better security. As a result, the necessary ports are opened so that overcloud services will continue to function as before.
Clone Of:
: 1305123 (view as bug list)
Environment:
Last Closed: 2016-12-14 15:16:44 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 191195 None None None Never
OpenStack gerrit 321833 None None None 2016-06-16 19:47:56 UTC
OpenStack gerrit 330249 None None None 2016-06-16 19:47:24 UTC
OpenStack gerrit 330759 None None None 2016-06-16 19:47:02 UTC
OpenStack gerrit 330760 None None None 2016-06-16 19:47:37 UTC
OpenStack gerrit 383477 None None None 2016-10-27 09:58:47 UTC

Description Ofer Blaut 2015-10-22 08:51:18 UTC
Description of problem:

We should configure iptables rules on ospd overcloud hosts .

upstream patch - https://review.openstack.org/#/c/191195/

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.run sudo iptables  -S  on  controllers/computes/ceph 
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Mike Burns 2015-11-23 12:48:53 UTC
*** Bug 1284080 has been marked as a duplicate of this bug. ***

Comment 3 Dan Sneddon 2016-02-04 15:59:32 UTC
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> 
> We should configure iptables rules on ospd overcloud hosts .

Perhaps we should use iptables rules on OSPD overcloud hosts, but the stated reason for using iptables here is based on a faulty assumption.

The problem is that the system is accepting route advertisements from the router, and adding a route, even if there is no IP on the interface.

In order to turn this behavior on/off, you can edit /proc/sys/net/ipv6/conf/default/accept_ra to be "0" instead of "1".

You can also turn it on/off on a per-interface basis, e.g.:
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra

Comment 4 Keith Basil 2016-02-05 16:22:55 UTC
I would accept Dan Sneddon's suggestion as the fix here.  This doesn't seem like we need to take on iptables config work.   And, if we did, the specifications around what we need to solve are not presented here.

I would suggest we open a new BZ to solve for the route advertisement problem specifically.

Comment 8 Mike Burns 2016-04-07 20:54:03 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 10 Emilien Macchi 2016-06-16 19:49:51 UTC
Ofer, yes, we're still working on it. I did initial work last year and now Ben is working on enabling the feature by default. I updated the list of patches that we need to make this feature really working.

Comment 13 Jaromir Coufal 2016-10-27 08:39:10 UTC
Ack.

Comment 14 James Slagle 2016-10-27 10:01:05 UTC
note the fix for the overcloud is in tripleo-heat-templates, not instack-undercloud

Comment 19 errata-xmlrpc 2016-12-14 15:16:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Comment 20 Amit Ugol 2018-05-02 10:36:21 UTC
closed, no need for needinfo anymore.


Note You need to log in before you can comment on or make changes to this bug.